mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:01:30 +00:00
fix(seed): repair deployment_targets FK violation crashing fresh demo boot
The Rank 5 cloud-target seed rows in `seed_demo.sql` referenced a non-existent `ag-server` agent_id. On every fresh-clone `docker compose -f deploy/docker-compose.yml -f deploy/docker-compose.demo.yml up` the server crash-looped at the demo-seed step:

    pq: insert or update on table "deployment_targets" violates foreign key constraint "deployment_targets_agent_id_fkey"

Origin: commit 9a7e818 ("docs, seed: cloud-target operator runbook + AWS ACM / Azure KV demo seed rows") added the rows but didn't insert or rebind to a matching agents row. The `ag-server` ID never existed in seed_demo.sql or anywhere else.

Fix: bind the two cloud targets to the existing cloud sentinel agents that were already inserted at lines 78-79 (alongside `cloud-gcp-sm`):

- tgt-aws-acm-prod → cloud-aws-sm
- tgt-azure-kv-prod → cloud-azure-kv

These cloud sentinels were inserted in commit 9a7e818's same family specifically to back agentless cloud targets — exact semantic match.

Why the existing test didn't catch this: TestRunDemoSeed_AppliesIdempotently in internal/repository/postgres/seed_test.go calls the same RunSeed + RunDemoSeed pair the server uses at boot, so it WOULD have caught the FK violation. But the test depends on a live PostgreSQL container via testcontainers-go and is gated under `testing.Short()` → the default `go test ./... -short` lane that `make verify` runs always skipped it. The dedicated integration lane that strips `-short` either wasn't run on commit 9a7e818 or the failure was missed. Promoting the test out from under `-short` is a separate hardening conversation (CI runs need docker-in-docker which isn't free); that's out of scope for this hotfix.

Static FK audit confirms the fix:

Defined agent IDs (12): ag-{data,edge-01,iis,k8s,lb,mac-dev,web-prod,web-staging}-prod, cloud-{aws-sm,azure-kv,gcp-sm}, server-scanner

Referenced agent_id values in deployment_targets after fix: ag-data-prod, ag-edge-01, ag-iis-prod, ag-k8s-prod, ag-lb-prod, ag-web-prod, ag-web-staging, cloud-aws-sm, cloud-azure-kv

Unresolved: zero.

Acceptance gate (operator-side):

- docker compose -f deploy/docker-compose.yml \
      -f deploy/docker-compose.demo.yml up -d --build
  against a fresh clone — server boots clean within 30s, dashboard at https://localhost:8443 shows the seeded demo data.
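The static FK audit the commit message describes, written out as an added example (not the certctl repository's own tooling): a small Python lint that pulls every `agents.id` and every `deployment_targets.agent_id` out of seed SQL and reports the references no agent row resolves, which is what `deployment_targets_agent_id_fkey` would reject at boot. The seed excerpt is constructed, and the `agents` column order is an assumption.

```python
import re
# Constructed excerpt modelled on seed_demo.sql (not the real file); agents column order is assumed.
SEED_SQL = """
INSERT INTO agents (id, name) VALUES ('cloud-aws-sm', 'AWS sentinel'), ('cloud-azure-kv', 'Azure sentinel')
ON CONFLICT (id) DO NOTHING;
INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, created_at) VALUES
-- pre-fix Rank 5 row: 'ag-server' was never inserted into agents
('tgt-aws-acm-prod', 'AWS ACM Production', 'AWSACM', 'ag-server', '{"region": "us-east-1", "tags": {"env": "production"}}', true, NOW() - INTERVAL '7 days'),
('tgt-azure-kv-prod', 'Azure KeyVault Prod', 'AzureKeyVault', 'cloud-azure-kv', '{"vault_url": "https://prod-vault.vault.azure.net"}', true, NOW())
ON CONFLICT (id) DO NOTHING;
"""
INSERT_RE = re.compile(r"INSERT INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*(.*?)\s*(?:ON CONFLICT[^;]*)?;", re.I | re.S)

def rows(values):
    """Split a VALUES list by hand so commas/parens/braces inside '...' (JSON, INTERVAL) never split a field."""
    out, row, depth, in_str, start = [], [], 0, False, 0
    for i, c in enumerate(values):
        if c == "'":
            in_str = not in_str  # the '' escape toggles twice, which is harmless
        elif in_str:
            continue
        elif c == "(":
            depth += 1
            start = i + 1 if depth == 1 else start
        elif c == ")" and depth > 1:
            depth -= 1
        elif c in ",)" and depth == 1:  # end of a field, and of the row when c == ")"
            field = values[start:i].strip()
            row.append(field[1:-1].replace("''", "'") if field.startswith("'") else field)
            start = i + 1
            if c == ")":
                out.append(row)
                row, depth = [], 0
    return out

def column(sql, table, col):
    """Every value of `col` across the INSERT statements into `table`, SQL comments stripped first."""
    vals = []
    for tbl, cols, values in INSERT_RE.findall(re.sub(r"--[^\n]*", "", sql)):
        names = [c.strip().lower() for c in cols.split(",")]
        if tbl.lower() == table and col in names:
            idx = names.index(col)
            vals += [r[idx] for r in rows(values) if idx < len(r)]
    return vals

def unresolved_agent_refs(sql):
    """deployment_targets.agent_id values with no agents.id row: the rows that trip the FK at seed time."""
    defined = set(column(sql, "agents", "id"))
    return sorted({r for r in column(sql, "deployment_targets", "agent_id")
                   if r.upper() != "NULL" and r not in defined})
```

Run over the real `seed_demo.sql`, an empty result is the "Unresolved: zero" the commit message reports; anything else is a row that will crash-loop a fresh boot before any container-backed test gets to see it.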
@@ -95,8 +95,18 @@ INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, creat
-- Rank 5 cloud target seed rows (2026-05-03 Infisical deep-research deliverable).
-- AWS ACM and Azure Key Vault demo targets so QA can exercise the wiring
-- end-to-end without standing up a real cloud account.
('tgt-aws-acm-prod', 'AWS ACM Production', 'AWSACM', 'ag-server', '{"region": "us-east-1", "tags": {"env": "production", "app": "api-gateway"}}', true, NOW() - INTERVAL '7 days', NOW()),
('tgt-azure-kv-prod', 'Azure KeyVault Prod', 'AzureKeyVault', 'ag-server', '{"vault_url": "https://prod-vault.vault.azure.net", "certificate_name": "api-prod", "credential_mode": "managed_identity", "tags": {"env": "production"}}', true, NOW() - INTERVAL '7 days', NOW())
--
-- 2026-05-05 fresh-clone repair: pre-fix these rows pointed at a
-- non-existent `ag-server` agent_id and the demo seed crashed with
-- `pq: insert or update on table "deployment_targets" violates foreign
-- key constraint "deployment_targets_agent_id_fkey"` on every fresh
-- `docker compose -f deploy/docker-compose.yml -f deploy/docker-compose.demo.yml up`.
-- Bound the AWS target to the existing cloud-aws-sm sentinel agent and
-- the Azure target to cloud-azure-kv (both inserted at lines 78-79
-- alongside cloud-gcp-sm). These cloud sentinels exist precisely for
-- agentless cloud targets — semantic match.
('tgt-aws-acm-prod', 'AWS ACM Production', 'AWSACM', 'cloud-aws-sm', '{"region": "us-east-1", "tags": {"env": "production", "app": "api-gateway"}}', true, NOW() - INTERVAL '7 days', NOW()),
('tgt-azure-kv-prod', 'Azure KeyVault Prod', 'AzureKeyVault', 'cloud-azure-kv', '{"vault_url": "https://prod-vault.vault.azure.net", "certificate_name": "api-prod", "credential_mode": "managed_identity", "tags": {"env": "production"}}', true, NOW() - INTERVAL '7 days', NOW())
ON CONFLICT (id) DO NOTHING;
-- ============================================================
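Review bot: the repair comment pins the sentinel agents to "lines 78-79" of the file, a reference that goes stale the next time a row is added above it; name the agents INSERT or just the IDs (`cloud-aws-sm`, `cloud-azure-kv`, `cloud-gcp-sm`) instead of a line number. Rebinding the two rows is the right fix for the `deployment_targets_agent_id_fkey` failure, but nothing in the default test lane now keeps `agent_id` values and `agents` ids in sync (the commit message notes the only test exercising RunDemoSeed is skipped under `-short`), so a follow-up static check over seed_demo.sql that needs no live PostgreSQL would stop the next dangling id from reaching a fresh-clone boot.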